Last Friday, the Federal Energy Regulatory Commission issued an order requiring physical protection of major substations and other facilities of electric utility companies, in the wake of a sniper attack on a San Jose, Calif., PG&E Corp. substation. Regulators are trying to identify serious threats to the operation of the U.S. electric grid. A standards-writing organization will work with utilities “to determine which sites are essential, define threats and develop physical-protection standards,” according to The Wall Street Journal.
But the more imminent threat to the security of electric utility operations may be a lot less sinister than a sniper: Microsoft Corp.’s plan to end support for the Windows XP operating system next month. The Wall Street Journal says Windows XP “is widely used on workstations in nearly all of the electric and gas utilities in the United States,” and the loss of vendor support could make those workstations easier to hack.
When Microsoft stops providing security updates or technical support for Windows XP on April 8, “it will be easier for cyberattackers to create malicious software that could take advantage of the unpatched OS to create regional blackouts or industrial accidents,” the WSJ quoted Michael Assante, former vice president and chief security officer for the North American Electric Reliability Corp., as saying.
Security experts are particularly concerned about XP’s use on workstations in utility control centers that supervise operational conditions in the field, like the amount of pressure in a particular gas line.
Why are electric utilities three generations behind with their Windows operating system? Upgrading to Windows 7 or Windows 8 would cost a utility company more than $100 million and take years, partly because of customization and partly due to the need to ensure that the upgrade works with legacy systems. In the past, when electricity plants weren’t as well connected to networks as they are today, an outdated operating system was not as big a security risk.
Microsoft will continue providing updates to its “antimalware signatures and engine for Windows XP users through July 14, 2015,” according to the software giant, but “antimalware solutions on out-of-support operating systems [are] limited.”
According to Netmarketshare, as of February 2014 Windows XP was running on 29.23 percent of all the desktops the U.K. group detected online.